Internet Protocol (IP) networks carry more and more services in various aspects of the national economy and social life. Wireless IP networks in particular transmit data by radio wave, which makes them physically open to an unprecedented extent. Secure access has therefore become a crucial issue in securing networks in operation.
The national standards GB 15629.11 and GB 15629.1102 for wireless local area networks were published in P. R. China in May 2003 and were the first standards published in the field of wireless local area networks in P. R. China. The No. 1 amendment of the national standard for wireless local area networks, GB15629.11-2003/XGI-2006, and the relevant sub-standards GB15629.1101, GB/T 15629.1103 and GB 15629.1104 were published in 2006, so that a hierarchy of national standards for wireless local area networks has essentially been formed. The hierarchy includes a new security mechanism, the WLAN Authentication and Privacy Infrastructure (WAPI).
As demand for mobile computing services increases, users increasingly demand network access while roaming. A Wireless Local Area Network (WLAN) provides a user with wireless access to the network, so that the user is not tied to a cable for network access but can move freely, which satisfies the user's demand for mobile access to the network. When the WLAN is applied in operation scenarios, the network extends in scale to geographical areas throughout the country, resulting in a very large number of users and frequent roaming. In the case of roaming, how authentication is handled is key to the normal operation of the network. The WAPI offers a security mechanism based upon a certificate and a pre-shared key. In particular, the certificate mechanism is applicable to operation application scenarios. However, the national standards for the WLAN define only an interface for an authentication server (AS) to authenticate a certificate, and do not define any specific certification roaming authentication method.
Patent Application 200710017450.1 discloses a certification roaming authentication method based on WAPI, in which a roaming terminal first has to obtain a certificate of a foreign authentication server through a certain mechanism to establish a trust relationship and then performs a certificate-based roaming authentication, and the authentication server likewise has to obtain a certificate of a home authentication server of a user to establish a trust relationship. This may be infeasible in some practical situations, because the terminal has no means of accessing a network other than the WLAN and thus fails to obtain the certificate of the foreign authentication server and to establish any trust relationship. Consequently, the terminal may be unable to perform the roaming authentication.